What is claimed:

1. A method of improving security processing in a computing network, comprising steps of:

providing a security offload component which performs security handshake processing; and

providing a control function in an operating system kernel for initiating operation of the security handshake processing by the security offload component.

2. The method according to Claim 1, further comprising the step of executing the provided control function, thereby initiating operation of the security handshake processing.

3. The method according to Claim 1, wherein the operating system kernel maintains control over operation of the security handshake processing.

4. The method according to Claim 1, wherein the operating system kernel does not participate in operation of the security handshake processing.

5. The method according to Claim 1, wherein the control function further specifies information to be used by the security offload component during the security handshake processing.

6. The method according to Claim 5, wherein the specified information comprises one or more of: a connection identifier; a security role; one or more security versions supported; and cipher suites options.

7. The method according to Claim 1, wherein:

the operating system kernel does not participate in operation of the security handshake processing;

the control function further specifies information to be used by the security offload component during the security handshake processing; and

the specified information comprises one or more of: a connection identifier; a security role; one or more security versions supported; cipher suites options; and security certificate key ring information.

8. The method according to Claim 7, wherein the specified information further comprises segment size and sequence number information to be used when transmitting messages of the security handshake processing.

9. The method according to Claim 7, further comprising the step of sending a completion response from the security offload component to the operating system kernel upon completion of the security handshake processing, wherein the completion response conveys information for use by the operating system kernel in carrying out secure communications on a secure session which results from the security handshake processing.

10. The method according to Claim 9, wherein the conveyed information comprises one or more of: an identifier of the secure session; one or more session keys; a current sequence number for messages of the secure session; a cipher suite to be used for the secure session; a protocol version to be used for the secure session; and a digital certificate or other security credentials.

11. The method according to Claim 1, wherein the operating system kernel maintains control over operation of the security handshake processing, and wherein the operating system kernel provides one or more message segments to the security offload component for use by the security offload component in completing steps of the security handshake processing.

12. The method according to Claim 11, wherein a selected one of the one or more message segments directs the security offload component in a client device to perform random number generation when creating an initial handshake message to transmit to a server device.

13. The method according to Claim 12, wherein the initial handshake message is a Client Hello message.

14. The method according to Claim 11, wherein a selected one of the one or more message segments directs the security offload component in a server device to perform random number generation when creating an initial handshake response message to transmit to a client device.

15. The method according to Claim 14, wherein the initial handshake response message is a Server Hello message.

16. The method according to Claim 11, wherein a selected one of the one or more message segments directs the security offload component in a server device to decode a client security certificate which has been transmitted from a client device.

17. The method according to Claim 11, wherein a selected one of the one or more message segments directs the security offload component in a client device to decode a server security certificate which has been transmitted from a server device.

18. The method according to Claim 11, wherein a selected one of the one or more message segments directs the security offload component in a client device to generate and encrypt a pre-master security secret to be transmitted to a server device.

19. The method according to Claim 18, wherein the encryption of the pre-master security secret uses a public key of the server device.

20. The method according to Claim 11, wherein a selected one of the one or more message segments directs the security offload component in a server device to decrypt a pre-master security secret transmitted from a client device.

21. The method according to Claim 20, wherein the decryption of the pre-master security secret uses a private key of the server device.

22. The method according to Claim 11, wherein a selected one of the one or more message segments directs the security offload component in a client device to compute one or more master security secrets and one or more session cryptography keys to be transmitted to a server device.

23. The method according to Claim 11, wherein a selected one of the one or more message segments directs the security offload component in a server device to compute one or more master security secrets and one or more session cryptography keys to be transmitted to a client device.

24. The method according to Claim 11, wherein a selected one of the one or more message segments directs the security offload component in a client device to digitally sign a message to be transmitted to a server device.

25. The method according to Claim 11, wherein a selected one of the one or more message segments directs the security offload component in a server device to validate a digital signature of a message received from a client device.

26. The method according to Claim 11, wherein a selected one of the one or more message segments directs the security offload component in a client device to compute a message authentication code ("MAC") of the security handshake, wherein the computed MAC is to be transmitted to a server device.

27. The method according to Claim 11, wherein a selected one of the one or more message segments directs the security offload component in a server device to compute a message authentication code ("MAC") of the security handshake, wherein the computed MAC is to be transmitted to a client device.

28. The method according to Claim 11, wherein a selected one of the one or more message segments directs the security offload component in a client device to validate a message authentication code ("MAC") of the security handshake, wherein the MAC was transmitted from a server device.

29. The method according to Claim 11, wherein a selected one of the one or more message segments directs the security offload component in a server device to validate a message authentication code ("MAC") of the security handshake, wherein the MAC was transmitted from a client device.

30. The method according to Claim 11, further comprising the step of sending a completion response from the security offload component to the operating system kernel upon completion of the security handshake processing, wherein the completion response conveys information for use by the operating system kernel in carrying out secure communications on a secure session which results from the security handshake processing.

31. The method according to Claim 30, wherein the conveyed information comprises one or more of: an identifier of the secure session; one or more session keys; a current sequence number for messages of the secure session; a cipher suite to be used for the secure session; a protocol version to be used for the secure session; and a digital certificate or other security credentials.

32. The method according to Claim 31, wherein the conveyed information further comprises a current transmission control sequence number for transmitting messages of the secure session.

33. A method of improving security processing in a computing network, comprising steps of:

providing a security offload component which performs security session establishment and control processing; and

providing a control function in an operating system kernel for initiating operation of the security establishment and control processing by the security offload component.

34. A system for improving security processing in a computing network, comprising:

means for performing security session establishment and control processing in a security offload component; and

means for executing a control function in an operating system kernel, thereby initiating operation of the means for performing security establishment and control processing by the security offload component.



35. A computer program product for improving security processing in a computing network, the computer program product embodied on one or more computer-readable media and comprising:

computer-readable program code means for performing security session establishment and control processing in a security offload component; and

computer-readable program code means for executing a control function in an operating system kernel, thereby initiating operation of the computer-readable program code means for performing security establishment and control processing by the security offload component.
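The following Python simulation is an added illustration of the control-function / offload-component split described in Claims 1 through 32; it is not code from the patent or from any product implementing it. The kernel side (run_handshake) builds a control request carrying the fields named in Claims 6 through 8, then issues the message segments of Claims 12 through 29 to a client and a server offload component, which finally return the completion response of Claims 10, 31 and 32. Everything cryptographic is an assumption for the sake of a runnable example: the key derivation is HMAC-SHA256 used as a toy PRF, the handshake MAC is an HMAC over the hello randoms, the public-key protection of the pre-master secret (Claims 18 through 21) and certificate decoding (Claims 16 and 17) are left out, and all names (ControlRequest, CompletionResponse, segment_* methods, counter_rng) are hypothetical.

```python
"""Constructed simulation of kernel-directed handshake offload (not the patent's code)."""
import hashlib
import hmac
import os
from dataclasses import dataclass


@dataclass(frozen=True)
class ControlRequest:
    """Information the kernel's control function passes to the offload component (assumed layout)."""
    connection_id: int
    role: str                  # "client" or "server"
    versions_supported: tuple
    cipher_suites: tuple
    key_ring: str              # certificate/key ring name (assumed to be a string)
    segment_size: int
    tcp_sequence_number: int


@dataclass(frozen=True)
class CompletionResponse:
    """What the offload component returns to the kernel once the handshake is done."""
    session_id: bytes
    session_keys: dict
    record_sequence_number: int
    cipher_suite: str
    protocol_version: str
    tcp_sequence_number: int


def prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """Toy key expansion: HMAC-SHA256 in counter mode (an assumption, not a protocol PRF)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(secret, label + seed + bytes([counter]), hashlib.sha256).digest()
        counter += 1
    return out[:length]


class SecurityOffloadComponent:
    """Executes the handshake steps the kernel directs it to through message segments."""

    def __init__(self, request: ControlRequest, rng=os.urandom):
        self.req, self.rng = request, rng
        self.random = self.peer_random = self.pre_master = self.master = self.keys = None
        self.transcript = b""  # hello randoms in wire order; covered by the handshake MAC

    def segment_generate_random(self) -> bytes:
        """Random-number generation for the Client Hello / Server Hello."""
        self.random = self.rng(32)
        self.transcript += self.random
        return self.random

    def segment_receive_hello(self, peer_random: bytes) -> None:
        """Record the peer's hello random so both sides build the same transcript."""
        self.peer_random = peer_random
        self.transcript += peer_random

    def segment_set_pre_master(self, pre_master: bytes) -> None:
        """Client generates / server recovers the pre-master secret (public-key step elided)."""
        self.pre_master = pre_master

    def segment_compute_keys(self) -> dict:
        """Derive the master secret and the per-direction session keys."""
        if self.req.role == "client":
            client_random, server_random = self.random, self.peer_random
        else:
            client_random, server_random = self.peer_random, self.random
        self.master = prf(self.pre_master, b"master secret", client_random + server_random, 48)
        block = prf(self.master, b"key expansion", server_random + client_random, 64)
        self.keys = {"client_write": block[:32], "server_write": block[32:]}
        return self.keys

    def segment_compute_mac(self) -> bytes:
        """MAC of the handshake transcript, keyed with the master secret."""
        return hmac.new(self.master, self.transcript, hashlib.sha256).digest()

    def segment_validate_mac(self, mac: bytes) -> bool:
        """Constant-time check of the MAC the peer transmitted."""
        return hmac.compare_digest(mac, self.segment_compute_mac())

    def completion_response(self) -> CompletionResponse:
        """Hand the negotiated session parameters back to the kernel."""
        return CompletionResponse(
            session_id=hashlib.sha256(self.master).digest()[:16],
            session_keys=self.keys,
            record_sequence_number=0,  # first record of the new session
            cipher_suite=self.req.cipher_suites[0],
            protocol_version=self.req.versions_supported[0],
            tcp_sequence_number=self.req.tcp_sequence_number,
        )


def counter_rng():
    """Deterministic stand-in for os.urandom so a run can be reproduced (testing only)."""
    state = [0]

    def rng(n):
        state[0] += 1
        return bytes([state[0] % 256]) * n
    return rng


def run_handshake(rng=os.urandom):
    """Kernel-side control function: issues the message segments to both offload components."""
    suites, versions = ("TLS_RSA_WITH_AES_128_CBC_SHA256",), ("TLSv1.2",)
    client = SecurityOffloadComponent(
        ControlRequest(1, "client", versions, suites, "client-ring", 1460, 1000), rng)
    server = SecurityOffloadComponent(
        ControlRequest(2, "server", versions, suites, "server-ring", 1460, 5000), rng)
    server.segment_receive_hello(client.segment_generate_random())  # Client Hello
    client.segment_receive_hello(server.segment_generate_random())  # Server Hello
    pre_master = rng(48)                       # generated by the client offload component
    client.segment_set_pre_master(pre_master)
    server.segment_set_pre_master(pre_master)  # server recovers it with its private key (elided)
    client.segment_compute_keys()
    server.segment_compute_keys()
    ok = (server.segment_validate_mac(client.segment_compute_mac())
          and client.segment_validate_mac(server.segment_compute_mac()))
    return ok, client.completion_response(), server.completion_response()
```

Calling run_handshake() with the default os.urandom drives one complete exchange and returns whether both handshake MACs validated plus the two completion responses; the point to notice is that the kernel never sees the pre-master secret or the handshake internals, only the control request it sent and the session identifier, keys, sequence numbers, cipher suite and version that come back for use on the established session.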